
UNIRAS Brief - 557/04 - iDEFENSE Security Advisory 10.07.04 RealNetworks Helix Server Content-Length Denial of Service Vulnerability



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 557/04 dated 08.10.04  Time: 15:50
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

iDEFENSE Security Advisory 10.07.04  RealNetworks Helix Server Content-Length Denial of
Service Vulnerability.

Detail
====== 

Remote exploitation of a denial of service (DoS) vulnerability in RealNetworks, Inc.'s 
Helix Server could allow an attacker to restart and potentially disable the server.




           ESB-2004.0633 -- iDEFENSE Security Advisory 10.07.04  RealNetworks Helix Server
                       Content-Length Denial of Service Vulnerability
                              8 October 2004


Product:                RealNetworks Helix Universal Server version 9
                        RealNetworks Helix Universal Mobile Server & Gateway version 10
Publisher:              iDEFENSE
Operating System:       Linux variants
                        Solaris
                        Windows
Impact:                 Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0774
Original Bulletin URL:  http://www.idefense.com/application/poi/display?id=151

--------------------------BEGIN INCLUDED TEXT--------------------

RealNetworks Helix Server Content-Length Denial of Service Vulnerability

iDEFENSE Security Advisory 10.07.04: www.idefense.com/application/poi/display?id=151&type=vulnerabilities
October 7, 2004

I. BACKGROUND

RealNetworks Helix Universal Server is a universal digital media delivery platform with industry leading performance, integrated content distribution and Web services support. More information is available at http://www.realnetworks.com.

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in RealNetworks, Inc.'s Helix Server could allow an attacker to restart and potentially disable the server.

The problem specifically exists in the handling of specially crafted POST requests. Sending a request with the Content-Length header set to -1 triggers an integer handling error that results in excessive memory and CPU consumption.

III. ANALYSIS

Any unauthenticated remote attacker can exploit this vulnerability, causing the affected system to consume large amounts of memory and CPU time. The system is then no longer able to process further requests.

The affected server must be restarted in order to resume normal functionality.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in RealNetworks Helix Server version 9.0.2 for Linux and version 9.0.3 for Windows. It is suspected that earlier versions on both platforms are vulnerable as well.

V. WORKAROUND

Usage of an inline application level filter can help mitigate risk of exploitation by scanning for and filtering invalid Content-Length parameters.
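
One way to implement the Content-Length check this workaround describes, as an added example (not code from iDEFENSE or RealNetworks). The function name, the size limit and the sample requests are assumptions constructed for illustration:

```python
import re

# Assumed policy limit for this example: largest request body the filter forwards.
MAX_BODY_BYTES = 10 * 1024 * 1024

# A valid Content-Length is unsigned decimal digits only (no sign, hex or spaces).
# The 19-digit cap rejects absurdly long numbers before conversion.
_DIGITS = re.compile(rb"[0-9]{1,19}")


def check_content_length(raw_head, max_body=MAX_BODY_BYTES):
    """Return (allowed, reason) for one request's header block.

    raw_head: bytes of the request line and headers, without the final blank line.
    """
    values = []
    for line in raw_head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        # Strip around the name so "Content-Length : -1" is still inspected.
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip(b" \t"))

    if not values:
        return (True, "no Content-Length header")
    if len(set(values)) > 1:
        return (False, "conflicting Content-Length headers")
    if not _DIGITS.fullmatch(values[0]):
        return (False, "Content-Length is not an unsigned decimal integer")
    if int(values[0]) > max_body:
        return (False, "Content-Length exceeds configured limit")
    return (True, "ok")


# Constructed sample requests (host and path are placeholders).
_HEAD = b"POST /upload HTTP/1.0\r\nHost: media.example\r\n"
SAMPLES = {
    "valid": _HEAD + b"Content-Length: 42",
    "negative": _HEAD + b"Content-Length: -1",
    "signed": _HEAD + b"Content-Length: +42",
    "conflict": _HEAD + b"Content-Length: 42\r\nContent-Length: 7",
    "oversize": _HEAD + b"Content-Length: 99999999999",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, check_content_length(head))
```

A filter built on this check drops or rejects any request for which it returns False before the request reaches the server, and logs the reason for later review.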

VI. VENDOR RESPONSE

"Customers are encouraged to upgrade their Server software to the latest version, which contains a security patch."

RealNetworks has released binaries that guard against the described vulnerability. The related advisory from RealNetworks is available at:

    http://service.real.com/help/faq/security/security100704.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0774 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/01/2004   Initial vendor notification
07/01/2004   iDEFENSE clients notified
08/05/2004   Initial vendor response
10/07/2004   Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.


X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

--------------------------END INCLUDED TEXT--------------------

----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
